Administer and Configure

Forcepoint DLP
Lab Guide 1

Rev: February 2023

Public
© 2023 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or
reduced to any electronic medium or machine-readable form without prior consent in writing
from Forcepoint. Every effort has been made to ensure the accuracy of this manual. However,
Forcepoint makes no warranties with respect to this documentation and disclaims any implied
warranties of merchantability and fitness for a particular purpose.

Forcepoint shall not be liable for any error or for incidental or consequential damages in
connection with the furnishing, performance, or use of this manual or the examples herein. The
information in this documentation is subject to change without notice.

2 | Forcepoint DLP: Administrator © Forcepoint 2023

Contents
1 Getting Started with Forcepoint DLP .................................................................................. 5
1.1 Accessing Forcepoint Security Manager .................................................................... 5
1.2 Applying a Forcepoint DLP license ............................................................................. 7
1.3 Locating Forcepoint DLP components ........................................................................ 8

2 Configuring Predefined Policies........................................................................................ 10

2.1 Protecting sensitive data using a predefined policy .................................................. 10
2.2 Blocking transfers of sensitive data .......................................................................... 12
2.3 Updating multiple rules at the same time .................................................................. 14
2.4 Configuring notifications sent by a predefined policy ................................................ 16

3 Configuring Quick Policies ................................................................................................ 17

3.1 Protecting sensitive data using a quick web policy ................................................... 17

4 Adding User Directories ..................................................................................................... 19

4.1 Adding user details to Forcepoint DLP ..................................................................... 19
4.2 Configuring notifications with user details ................................................................. 22

Milestone Challenges ............................................................................................................... 24

Challenge 1: Add another predefined policy ......................................................................... 24
Challenge 2: Batch update the US PHI policy....................................................................... 24
Challenge 3: Configure the quick email policy ...................................................................... 24
Challenge 4: Configure the default notification ..................................................................... 24

© Forcepoint 2023 Forcepoint DLP: Administrator | 3

Environment Credentials:

These are the credentials that you will use during your training.

Go4labs information sent via instructor

Site: (generatedname).go4labs.net
Username: generatedfirst.generatedlast
Password: generated

Security Manager server

Domain: Fpcert
Username: Administrator
Password: Forcepoint1!

Windows test machine

Domain: fpcert
Username: tmuller
Password: Forcepoint1!

Forcepoint Security Manager (FSM)

Username: admin
Password: Forcepoint1!

Forcepoint Support Site (https://support.forcepoint.com)

Use your credentials or ask instructor.

4 | Forcepoint DLP: Administrator © Forcepoint 2023

1 Getting Started with Forcepoint DLP
1.1 Accessing Forcepoint Security Manager
Scenario:

You want to know how to find your Data Loss Prevention information.

Tasks:

1. Use the mRemote application to access the Forcepoint Security Manager.

2. Navigate to the Forcepoint DLP dashboard.
Open the web browser of your choice and navigate to the lab URL you were provided with by
your instructor. You will be presented with a login prompt for Apache Guacamole. Enter the
credentials you were provided with by your instructor.

1.1.1 Use the mRemote application to access the Forcepoint Security

Manager
1. The first screen you will see in the lab is the Landing Machine desktop.

2. Double click the mRemoteNG shortcut and the mRemote application will load.
3. Double-click the Security Manager link in the Connections tab on the left-hand side of the
window.

© Forcepoint 2023 Forcepoint DLP: Administrator | 5

 A remote desktop session will begin. You will be automatically signed in as the
Administrator user, and the Security Manager machine’s desktop will load.
4. Double-click the Forcepoint Security Manager shortcut on the desktop.
A browser window will open.
5. If you receive a certificate error, click Advanced, then click the link to Proceed
to 192.168.123.155.
The Forcepoint Security Manager sign in screen will load.

1.1.2 Navigate to the Forcepoint DLP dashboard

1. Enter the username and password shown above for Forcepoint Security Manager.
2. Click Sign in. The Forcepoint Security Manager dashboard will load.
3. Use the button in the top left-hand corner of the window to select the Data
dashboard.

You should now be able to:

 Use the mRemote application to access the Forcepoint Security Manager.

 Navigate to the Forcepoint DLP dashboard.

6 | Forcepoint DLP: Administrator © Forcepoint 2023

1.2 Applying a Forcepoint DLP license
Scenario:

You have renewed your subscription to Forcepoint DLP and have received the subscription
XML file. You want to update your subscription in FSM.

Tasks:

 Apply a Forcepoint DLP license.

1.2.1 Apply a Forcepoint DLP license

1. In your Go4Labs environment, resume the session in mRemote, access the Forcepoint
Security Manager and navigate to the Data tab.
2. Navigate to Settings > General > Subscription in the menu of the DLP manager.
Note that all subscription information currently shows as N/A – this is because the license
currently in effect is a limited one shared from the Web product, not a full DLP license.
3. Click Update on the Subscription page.
4. Click the Choose File button.
5. Navigate to C:\Forcepoint\License_Keys.

6. Double click the file DLP subscription.xml.

7. Click OK to save your changes.
A pop-up appears to confirm the subscription has been updated.
8. Click OK to re-login.
9. Sign in to FSM using the username and password above.
10. Navigate to Settings > General > Subscription on the menu.
You will now see your updated license information.

You should now be able to:

 Apply a Forcepoint DLP license.

© Forcepoint 2023 Forcepoint DLP: Administrator | 7

1.3 Locating Forcepoint DLP components
Scenario:

You want to know what components are configured in your Forcepoint DLP environment.

Tasks:

1. Navigate to the system modules list.

2. Identify the components registered in your environment.
3. Set essential configuration.

1.3.1 Navigate to the system modules list

1. In your Go4Labs environment, resume the session in mRemote, access the Forcepoint
Security Manager and navigate to the Data tab.
2. Scroll down, and in the left-hand menu, select Deployment > System Modules.
The dashboard will load the system modules list.

1.3.2 Identify the system modules registered in your environment

1. Click the + symbol next to each component in the list.
The entry will expand to show the components of that module.
2. Click the – symbol to collapse the list of components for that module.
3. Click on the title line of the Forcepoint Content Gateway Server.
4. Click on the HTTP/HTTPS tab to access those configuration settings.
5. Change the Mode from Monitoring to Blocking.
This allows the web content gateway to block any detected web incidents.

6. Click on OK in the bottom right to save your configuration changes.

7. Click the Yes button on the Deployment Needed pop-up window.
8. When the deployment is complete, confirm that each system module on the Deployment
Process page shows in the Status column.

8 | Forcepoint DLP: Administrator © Forcepoint 2023

1.3.3 Set essential configuration
1. Select Status > Dashboard in the left-hand menu.
2. In the Health Alert Summary, click the link for missing essential configurations.

3. Click Set email properties for alerts and system messages.

a. Enter the Sender email address:
“administrator@fpcert.com”.
b. Click OK.

4. Click Specify internal domains for endpoint email analysis.

a. Enter the Domain: “fpcert.com”.
b. Click Add.
c. Select Outbound at the bottom of the
window.
d. Click Save.
5. Click Yes on the Deployment Needed
window.
Other essential configuration is completed during the rest of your training.

You should now be able to:

 Navigate to the system modules list.

 Identify the system modules registered in your environment.
 Set essential configuration

© Forcepoint 2023 Forcepoint DLP: Administrator | 9

2 Configuring Predefined Policies
2.1 Protecting sensitive data using a predefined policy
Scenario:

Now that you know what a policy is and how it works, you want to detect when people share
patient medical forms using Forcepoint DLP.

Tasks:

1. Add a predefined policy.

2. Test your policy.
3. Confirm that regulatory compliance is in effect.

2.1.1 Add a predefined policy

1. In your Go4Labs environment, resume the session in mRemote, access the Forcepoint
Security Manager and navigate to the Data tab.
2. Navigate to Policy Management > DLP Policies > Manage Policies in the left-hand
menu.
3. Click the Add button on the toolbar.
4. Select Predefined Policy on the menu. The predefined policy wizard will load.
5. Click Next at the bottom of the window.
6. Select the region USA and click Next.at the bottom of the window.
7. Select the industry Healthcare and Pharma and click Next at the bottom of the window.
8. A summary of the predefined policies is displayed. Click Finish at the bottom of the
window.
9. On the policy list, select PHI: Protected Health Information.
10. Click Use Policies in the bottom right to save your selections.
11. Click Deploy to deploy your new policies to your policy engines.

2.1.2 Test your policy

1. Using mRemote, open a session to the Windows test machine.
2. Open a web browser and navigate to http://dlptest.com/http-post/.
3. Use the File Upload to attempt to upload each of the following files in Z:\Test Files:
a. Common-health-conditions.docx
b. Filled-inpatient-sheet.pdf
c. Filled-surgery-sheet.pdf
The uploads will not be blocked.

10 | Forcepoint DLP: Administrator © Forcepoint 2023

2.1.3 Confirm that regulatory compliance is in effect
1. On the Security Manager machine, navigate to Reporting > Data Loss Prevention >
Incidents (last 3 days).

2. Click on the first incident in the list.

Note that the action is “Permitted”. The rules of the policy are set to “Audit only”.

You should now be able to:

 Add a predefined policy.

 Test your policy .
 Confirm that regulatory compliance is in effect.

© Forcepoint 2023 Forcepoint DLP: Administrator | 11

2.2 Blocking transfers of sensitive data
Scenario:

Having set up the policy and monitored it for three months, all users have received training
about sharing patient data. You want to block sharing of patient medical forms.

Task:

1. View the default action plans.

2. Edit a rule to use a different action plan.
3. Test your rule.

2.2.1 View the default action plans

1. In your Go4Labs environment, resume the session in mRemote, access the Security
Manager machine and navigate to the Data tab of Forcepoint Security Manager.
2. Navigate to Policy Management > Resources > Action Plans in the left-hand menu.
3. Click on the action plan Audit Only (default action) to see the actions set for each channel.
4. Click the Cancel button at the bottom of the window.
5. Click on the action plan Block All to see the actions set for each channel.
6. Click the Cancel button at the bottom of the window.

2.2.2 Edit the rule to use a different action plan

1. Navigate to Policy Management > DLP Policies > Manage Policies in the left-hand
menu.
2. Expand the Health Data policy to see all the rules that it contains.
3. Scroll down to the rule Health Data: Name and Common Medical Condition (Default).
4. Highlight the rule and click the Edit button on the toolbar.
5. Click the Severity & Action tab.
6. Change the Action Plan from Audit Only to Block All for both levels of severity.
7. Click the OK button at the bottom of the window.
8. Click Yes to deploy your changes.

12 | Forcepoint DLP: Administrator © Forcepoint 2023

2.2.3 Test your rule
1. Once your changes have successfully deployed, return to the Windows test machine.
2. Upload the document Z:\Test Files\common-health-
conditions.docx to http://dlptest.com/http-post/.
The file will now be blocked.

3. Return to the Security Manager and view the latest incident report. If the incident does not
appear immediately, click the refresh button in the top right-hand corner.

You should now be able to:

 View the default action plans.

 Edit a rule to use a different action plan.
 Test your rule.

© Forcepoint 2023 Forcepoint DLP: Administrator | 13

2.3 Updating multiple rules at the same time
Scenario:

Now that you have monitored the policy, you want to change the action plan of all the rules in
the policy to “block” as efficiently as possible.

Task:

 Batch update action plans on a policy.

2.3.1 Batch update action plans on a policy

1. In your Go4Labs environment, resume the session in mRemote, access the Security
Manager machine and navigate to the Data tab of Forcepoint Security Manager.
2. Navigate to Policy Management > DLP Policies > Manage Policies in the left-hand
menu.
3. Highlight the Health Data policy in the list.
4. In the Manage Policies window, click More Actions on the toolbar.
5. Select Batch Operation, then Update Rules of Current Policy on the menu.
6. Select the checkbox next to Rule to select all the rules in this policy.

7. Under Rule Properties, select Severity & Action.

8. Change the Severity to High and the Action Plan to Block All for the selected rules.

9. Click OK at the bottom of the window.

10. A warning message displays to tell you that you are overwriting the settings on multiple
rules. This change cannot be undone. Click the OK button.
11. Click the Deploy button.

14 | Forcepoint DLP: Administrator © Forcepoint 2023

12. Once your policy has successfully deployed, you can test it on the Window test machine by
uploading the documents in Z:\Test Files\ to http://dlptest.com/http-post/.

You should now be able to:

 Batch update an action plan on a policy.

© Forcepoint 2023 Forcepoint DLP: Administrator | 15

2.4 Configuring notifications sent by a predefined policy
Scenario:

Having set up a policy to monitor patient medical forms, you want to send an email to key
people when a policy is triggered to tell them who triggered it and how.

Tasks:

1. Configure the settings of the default notification template.

2. Select the notification template on an action plan.

2.4.1 Configure the settings of the default notification template

1. In your Go4Labs environment, resume the session in mRemote, access the Security
Manager machine and navigate to the Data tab of Forcepoint Security Manager.
2. Navigate to Policy Management > Resources > Notifications in the left-hand menu.
3. Click Default notification to edit the notification settings.
4. On the General tab of the Notification Properties, configure the notification settings:
Sender name: DLP Administrator
Sender email address: administrator@fpcert.com

5. Click OK to save the changes to the notification settings. This is another piece of essential
configuration.

2.4.2 Select the notification template on an action plan

1. Navigate to Policy Management > Resources > Action Plans in the left-hand menu.
2. Click the Block All action plan.
3. Scroll down to the Additional Actions section.
a. Select Send email notifications.
b. Select Default notification on the list.
4. Click OK at the bottom of the window.
5. Click Deploy.
You should now be able to:

 Configure the settings of the default notification template.

 Select the notification template on an action plan.

16 | Forcepoint DLP: Administrator © Forcepoint 2023

3 Configuring Quick Policies
3.1 Protecting sensitive data using a quick web policy
Scenario:

You want to stop credit card details being shared outside your organization.

Tasks:

1. Enable and configure an attribute of the quick web policy.

2. Configure an additional attribute.
3. Test your quick policy.

3.1.1 Enable and configure an attribute of the quick web policy

1. In your Go4Labs environment, resume the session in mRemote, access the Security
Manager machine and navigate to the Data tab of Forcepoint Security Manager.
2. Navigate to Policy Management > DLP Policies > Web DLP Policy in the left-hand menu.
3. In the Attributes list, click Regulatory and Compliance.
a. Select the Enable attribute checkbox.
b. Click the No regions selected link
c. Select the region USA and click OK.
d. Select the checkbox next to Payment Card Industry (PCI DSS) to enable it.
e. Click the now active link for Payment Card Industry (PCI DSS)
f. Select the box next to PCI.
g. Set the sensitivity to Narrow.
h. Click OK in the bottom right to save your PCI policy settings.

4. In the Severity & Action section, leave the severity as High and the action as Block.

© Forcepoint 2023 Forcepoint DLP: Administrator | 17

3.1.2 Configure an additional attribute
1. In the Attributes list, click Patterns & phrases.
2. Select the Enable attribute checkbox.
a. Click the Add button.
b. In the Key phrase field enter “Customer List”.
c. Click OK to save your key phrase.

3. In the Severity & Action section, leave the severity as Medium and the action as Block.
4. Click OK in the bottom right to save your configuration.
5. Click Deploy to deploy your quick policy.

3.1.3 Test your quick policy

1. On the Windows test machine, open a browser and navigate to https://dlptest.com/sample-
data/.
2. Highlight and copy five rows of sample data.
3. Navigate to http://dlptest.com/http-post/
4. Paste your sample data into the Test Message field.
5. Enter the phrase “Customer List”.
6. Click Submit. A block page should load indicating your transaction has been stopped by
Forcepoint DLP.
7. Return to the Security Manager and view the latest incident report.

You should now be able to:

 Enable and configure an attribute of the quick web policy.

 Configure an additional attribute.
 Test your quick policy.

18 | Forcepoint DLP: Administrator © Forcepoint 2023

4 Adding User Directories
4.1 Adding user details to Forcepoint DLP
Scenario:

Now that you have a policy set up, you want to know who the managers of the users are, so that
you can tell them when the policies are triggered.

Tasks:

1. Configure an Active Directory connection.

2. Change the default time for the directory import.
3. Manually import a user list from the configured directory.

4.1.1 Configure an Active Directory connection.

1. In your Go4Labs environment, resume the session in mRemote, access the Security
Manager machine and navigate to the Data tab of Forcepoint Security Manager.
2. Navigate to General > User Directories in the left-hand menu.
3. Click the New button on the toolbar.
The Add/Edit directory server configuration page is displayed.
4. Enter the details of the directory connection.
Name: Domain Controller
Type: Active Directory
Hostname: dc.fpcert.com
User distinguished name: fpcert\administrator
Password: Forcepoint1!

5. Click the Test Connection button.

If successful, a green banner message will load at the top of the page.
6. Scroll down to the Test Attributes box.
7. Enter the Sample email address: “tmuller@fpcert.com”.

© Forcepoint 2023 Forcepoint DLP: Administrator | 19

8. Click Test Attributes.
The page will refresh, and a link to View Results will appear next to the button.

9. Click the View Results link.

This sends a live query to the Active Directory. A successful test will cause a pop-up to
display with the specified user’s details.
10. Click OK at the bottom of the window to save the configured settings. This is another piece
of essential configuration.

4.1.2 Change the default time for the directory import.

1. On the User Directories page, click the Import daily at 11:00 PM link on the right-hand
side.
The Schedule User Directory Import window opens.
2. Configure the import to run once weekly, at
midnight on Saturdays.
This is ideal in environments where the user
directory structure does not change every day.
3. Click OK to save your configuration settings.

4.1.3 Manually import a user list from the configured directory.

1. On the User Directories page, select the box next to Domain Controller.
2. Click Import Now on the toolbar.
3. Click OK on the pop-up that appears to proceed with the manual import.
4. When all scheduled imports are complete, the line above the server list will indicate that
Entries are ready for policy engines.

20 | Forcepoint DLP: Administrator © Forcepoint 2023

You should now be able to:

 Configure an Active Directory connection.

 Change the default time for the directory import.
 Manually import a user list from the configured directory.

© Forcepoint 2023 Forcepoint DLP: Administrator | 21

4.2 Configuring notifications with user details
Scenario:

Having imported your user directory, you want to email notifications to the user’s manager when
they trigger a policy.

Tasks:

 Add dynamic variables to the web notification template.

4.2.1 Add dynamic variables to the web notification

1. In your Go4Labs environment, resume the session in mRemote, access the Security
Manager machine and navigate to the Data tab of Forcepoint Security Manager.
2. Navigate to Policy Management > Resources > Notifications in the left-hand menu.
3. Click Web policy violation to edit the notification settings.
4. Configure the notification settings.
Sender name: DLP Administrator
Sender email address: administrator@fpcert.com
5. At the end of the Subject field, select the arrow.
6. Select the dynamic variable: %EventTime%.
7. In the Recipients section click Edit.
a. Change the Display to Directory Entries.
b. Select tmuller on the list.
c. Add this person to the Selected list.
d. Click OK.
8. At the end of the Additional email addresses field, click the arrow button.
9. Select %Source’s Manager% on the list.

10. Click the Notification Body tab to edit the message body of the template.
11. In the message to user, enter “Severity:” at the end of the message.

22 | Forcepoint DLP: Administrator © Forcepoint 2023

12. Click the arrow button and select %Severity% on the list.

13. Click OK to save the changes to the notification settings and body.

You should now be able to:

 Add dynamic variables to the web notification template.

© Forcepoint 2023 Forcepoint DLP: Administrator | 23

Milestone Challenges
Challenge 1: Add another predefined policy
Your organization conducts business in the EU. You want to protect personal data to comply
with EU regulations.

 Add the EU General Data Protection Regulation (GDPR) predefined policies.

For further help see:
Changing the selected DLP or discovery policies (administrator help).

Challenge 2: Batch update the US PHI policy

Having completed the training phase of your policy implementation, you want to update the US
PHI policies to block all transactions.

 Update all the rules in the US PHI policy to Severity High and Action Plan Block All.
For further help see:
Updating Multiple Forcepoint DLP Policies (hack stack) or
Update rules of multiple policies (administrator help).

Challenge 3: Configure the quick email policy

Your organization has Forcepoint Email Security Gateway. you want to configure a policy that
will monitor emails for credit card details and prevent executable files being attached to emails.

 Configure the Email DLP Policy to monitor USA Payment Card Industry (PCI DSS)
data. Configure the policy to monitor for Attachment Type: Various Executables
Formats and drop the attachments, (scroll down for Severity & Action).
For further help see:
Configuring outbound and inbound email DLP attributes (administrator help).

Challenge 4: Configure the default notification

You want to add additional information to the notification message.

 Configure the Default notification template as below:

Subject: Your organization’s DLP policy was breached at %EventTime%.
Message to user: A policy breach of severity ‘%Severity%’ was found and action ‘%Action%’
was taken. Sender: '%Source%'. Message Subject: '%Details%'.

For further help see:

Configuring the Default Notification in Forcepoint DLP (hack stack) or
Adding a new message (administrator help).

24 | Forcepoint DLP: Administrator © Forcepoint 2023